[英]Use aws cli to add a statement to an existing S3 bucket policy
假设我已经有一个附加到存储桶的策略,例如:
{
"Version": "2012-10-17",
"Id": "123",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::9876543211:someuser"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
}
]
}
我想更新此政策,以便强制执行 SSL(即我希望上面的声明保持不变)。
如何使用aws
cli 以使我的策略最终看起来像这样:
{
"Version": "2012-10-17",
"Id": "123",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::9876543211:someuser"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
},
{
"Action": "s3:*",
"Effect":"Deny",
"Principal": "*",
"Resource":"arn:aws:s3:::my-bucket/*",
"Condition":{
"Bool":
{ "aws:SecureTransport": false }
}
}
]
}
如果您想附加\更新内联策略,您可以使用aws iam put-role-policy命令。
描述:
添加或更新嵌入在指定 IAM 角色中的内联策略文档。
用法:
cat > policy-name.json << EOF
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1572432380474",
"Action": "s3:*",
"Effect": "Allow",
"Resource": "arn:aws:s3:::my-bucket/*",
"Condition": {
"Bool": {
"aws:SecureTransport": "false"
}
}
}
]
}
EOF
aws iam put-role-policy \
--role-name ${ROLE_NAME} \
--policy-name policy-name \
--policy-document file://policy-name.json
如果您想更新托管策略,请使用aws organizations update-policy命令。
描述:
使用新名称、描述或内容更新现有策略。 如果您不提供任何参数,则该值保持不变。 您不能更改策略的类型。
用法:
aws organizations update-policy \
--policy-id policy-id \
--content "{
"Version": "2012-10-17",
"Id": "123",
"Statement": [
{
"Effect": "Deny",
"Principal": {
"AWS": "arn:aws:iam::9876543211:someuser"
},
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::my-bucket",
"arn:aws:s3:::my-bucket/*"
]
},
{
"Action": "s3:*",
"Effect":"Deny",
"Principal": "*",
"Resource":"arn:aws:s3:::my-bucket/*",
"Condition":{
"Bool":
{ "aws:SecureTransport": false }
}
}
]
}
"
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.